On Wed, 2014-11-05 at 12:24 +0200, Christos Tsantilas wrote:
> On 11/04/2014 02:26 PM, James Lay wrote:
> >
> > Thanks a bunch Christos,
> >
> > That list of IP's is things like apple.com, textnow.me, and windows
> > updates...IP's that simply don't bump well. My setup is a linux box
> > that's a router...one NIC internal IP, the other external IP. Via
> > iptables redirect, I'm transparently intercepting the web traffic of a
> > few devices, only allowing them access to the list of sites in url.txt.
> > At issue with using the broken_sites list, is that I have to just
> > specify large chunks of netblocks, which I lose control and visibility
> > of. What I'm really hoping for is for a way for squid to be able to, in
> > my case at least, look at either the server_name extension in the Client
> > Hello
>
> You need to build your own external_acl helper which will take as input
> the client sni (server_name extension). Read the squid wiki for information
> about external acl helpers:
> http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29
>
> It is easy to build one in perl or as a shell script. I am suggesting to
> build an external_acl helper which returns "OK" when the sni matches or
> no sni information exists.
>
> You can use the following configuration or similar:
> #
> external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh
> acl EXTACL external EXTACL
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> # At first step peek all
> ssl_bump peek step1 all
> ssl_bump splice step2 EXTACL
> ssl_bump bump all
>
> > or, if that's not present, look at the dNSName of the certificate
> > being sent, check the access against url.txt, and either allow or deny.
>
> In your case the server certificate information will not work well. At
> the time this information is available:
> 1) in peek mode, you can not bump any more
> 2) in stare mode, you can not splice any more.
>
> There are exceptions to the above rules (for example in case the client
> uses the same SSL library as squid) but the SSL protocol is safe enough
> to not allow us to make something better than this.
>
> Regards,
> Christos
>
> >
> > Ssl_bump does work well for most sites...and I understand we are
> > performing a man in the middle attack so it's not supposed to be easy.
> > Again my hope isn't really to perform a mitm...more of an access control
> > type thing. Thanks again Christos...I hope I explained this well
> > enough.
> >
> > James
> >
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Thanks so much Christos for taking time with this. I'll give the helper a go and report my results here.

James
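The shell helper Christos describes, written out as an added example (editor's code, not part of the thread and not James's eventual helper). It reads one %ssl::>sni value per line on stdin, as Squid sends it for an external_acl_type without concurrency=N, and answers OK when the name is in the list or when no SNI was offered (Squid substitutes "-" for a missing format value, which is what the helper treats as "no SNI"). The list file path is taken from the helper's first argument; the assumed list format is one hostname per line, with a leading "." entry (e.g. ".textnow.me") covering the bare name and all its subdomains. Comparison is case-insensitive and ignores a trailing dot, since both are legitimate variations in a client-supplied name.

```shell
#!/bin/sh
# Added example: Squid external_acl helper that allows splicing when the
# client's TLS SNI is on an allow-list. Invoke from squid.conf as, e.g.:
#   external_acl_type EXTACL %ssl::>sni /path/to/sni-helper.sh /etc/squid/url.txt
# List format (assumed, not from the thread): one hostname per line,
# blank lines and '#' comments ignored, ".example.com" = example.com and subdomains.

# sni_allowed HOST LISTFILE -> exit 0 if HOST is allowed, 1 otherwise.
sni_allowed() {
    host=$1
    list=$2
    # Squid sends "-" when the client offered no server_name extension;
    # per the thread's suggestion, let those through to be spliced.
    [ "$host" = "-" ] && return 0
    # Normalise: lower-case and strip a trailing dot ("apple.com." == "apple.com").
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    # "|| [ -n ... ]" also processes a last line that lacks a newline.
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in
            ''|'#'*)
                continue ;;
            .*)
                # Suffix rule: ".textnow.me" matches textnow.me and *.textnow.me,
                # but not eviltextnow.me (the dot is part of the suffix).
                bare=${entry#.}
                [ "$host" = "$bare" ] && return 0
                case "$host" in *"$entry") return 0 ;; esac ;;
            *)
                [ "$host" = "$entry" ] && return 0 ;;
        esac
    done < "$list"
    return 1
}

# decide HOST LISTFILE -> prints the reply Squid expects: OK or ERR.
decide() {
    if sni_allowed "$1" "$2"; then
        echo OK
    else
        echo ERR
    fi
}

# Request loop: one SNI per stdin line, one reply line per request.
# Anything after the first token is ignored (defensive; Squid sends only
# the formatted field in the non-concurrent protocol).
main_loop() {
    while read -r sni _rest; do
        decide "$sni" "$1"
    done
}

# Run the helper protocol only when a list file is given, so the
# functions can be sourced and exercised on their own.
if [ $# -ge 1 ]; then
    main_loop "$1"
fi
```

Two practical notes. First, the helper runs once per TLS handshake that reaches step2, so for a large url.txt load it into a grep -F -x -f pattern set or a hash once at startup rather than rescanning the file per request as this straightforward version does. Second, the thread's configuration bumps whatever the helper does not approve; since James's goal is access control rather than inspection, `ssl_bump terminate` for the non-approved case (available in the same Squid releases that provide peek and splice) refuses those connections outright instead of completing a bump that the listed "broken" sites will not tolerate anyway.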